Uber suffered a data breach in 2016 that affected some 57 million customers, including both riders and drivers, exposing their names, email addresses and phone numbers. The affected group included 50 million riders and 7 million drivers; around 600,000 driver's license numbers for U.S. drivers were also included in the breach, according to a new report from Bloomberg.
Uber didn’t report the incident to regulators or to affected customers, but instead paid $100,000 to “hackers” to delete the data in order to keep the breach under wraps, according to the report. It says further that no Social Security numbers or trip location data was taken in the attack, and that it doesn’t believe the data that was leaked was ever used, though it doesn’t specify who was responsible.
New Uber CEO Dara Khosrowshahi told Bloomberg via email that while he “will not make excuses” for the incident, he also believes that “none of this should have happened.” Khosrowshahi, who joined the ride-hailing company in August after a search for a replacement CEO following co-founder Travis Kalanick’s departure, also said that Uber did shut down the attack vector and increased its security measures following the attack, but that it failed in its responsibility to report.
Bloomberg says that Kalanick was aware of the hack as early as November 2016, just a month after it occurred. Uber Chief Security Officer Joe Sullivan, and a key senior deputy to the CSO, have also been removed from the company this week, specifically for their roles in keeping the cyberattack secret.
The report says the attack occurred because attackers managed to gain login credentials for an Uber Amazon Web Services account using a private GitHub site maintained by Uber engineers.
In a blog post addressing the breach, Khosrowshahi laid out plans for how the company will handle the fallout of the incident, including bringing on a former NSA general counsel to provide guidance to Uber’s security teams, and notifying drivers whose license numbers were included in the breach. Uber will not only notify the drivers, but also offer them credit monitoring and identity theft protection services, though the post also says they haven’t seen “evidence of fraud or misuse tied to the incident.”
We’ve reached out to Uber for additional comment, and will update if we receive a response.
Featured Image: David Paul Morris/Bloomberg via Getty Images